TOTP Multi-Factor Authentication OpenVPN with pfSense and FreeRadius


How to set up OpenVPN, pfSense & FreeRadius

How TOTP (Time-based One-time Password Algorithm) Works for 2 Factor Authentication
#pfsense #Firewalls
Comments

Thank you for putting this video together, Tom. This is an awesome feature that improves security greatly!

rogerosbu

Great educational footage Tom! As usual. Any chance for another one consisting of pfSense, OpenVPN, FreeRadius employing YubiKey 5 device?

rafalkolodziej
pfSense Advanced server settings:

reneg-sec 0;

otherwise you gotta re-auth every hour by default. Can set 0 to any time period you want. 0 means don't re-negotiate auth.

jamlab
A really useful video. I would really appreciate it if you could do a tutorial on TOTP auth for the webGUI of pfSense.

DeepanSiddarthank
Would love to see how we can get MOTP setup and working with the
How cool would that be, to log in to Windows 10 with your TOTP...? :)

iowawizkid
Very cool video! I might have to play with this. Just a note, TOTP codes cycle every 30 seconds, not 60.

philipcook
How can we disable PIN usage? We want to be able to log in to the system using only the rolling code.

emre-durgut
What about Windows clients using the OpenVPN GUI?

seanhulbert
Had this working before on 2.6.x, but after upgrading to 2.7.0 I cannot get TOTP working anymore; the static password for the tunnel works fine. Ideas?

asek

How do you do that echo keystroke to screen thang?

nickharvey
I've been following your tutorial and everything is well ;) Ty, but, BTW, I'm losing connection every hour (60m or 3600s). I've already set (reneg-sec 0) in the OpenVPN Custom Options, but I'm still dropping every hour and I need to make a new token validation. I was looking at the FreeRadius settings but I've no clue where I can set it to increase the amount of time or disable it. If anyone can help me, I will appreciate it a lot. Thx

LFMTHEONE
Thanks for your video :) My OpenVPN uses my server's LDAP for authentication. Is it possible to use double authentication anyway? Or do I have to use FreeRadius? thx

Droodkast
Hi everyone, I face this error while connecting from the client: "pfsense tls error tls key negotiation failed to occur within 60 seconds". Kindly help...

neymat

Could this work with Active Directory credentials instead of the pin?

brianthomason
I have a question about this. OpenVPN re-auths every hour. If we pick a time in the video, say 6:30, and see the 4th line after you've entered your pin+token, you get a warning letting you know that the password is cached. Under normal circumstances, when OpenVPN re-auths, it'll use that cached password, and you won't notice a thing. With TOTP active, do you have to re-enter your password every time OpenVPN re-auths? I would hope that the server side would see the password as invalid, as your token has rolled over several times by that point. Or is this an instance of "once you're in, you're in?"

praecorloth
As a heads up, I did some testing and as of 2.4.4_3, if your users are connecting for more than an hour at a time you may want to add reneg-sec 0 (default 3600) to the OpenVPN additional config options. The default of 3600 means that every hour the server will ask for a password from the client again, and the client just provides the pin+otp from an hour ago, which fails with no message on the client: still a green icon but no traffic going through to the VPN.

reneg-sec 0 should set it to never reauthenticate. (I set mine to 28800 as I figured 8 hours was plenty for whatever I'm doing over the VPN)

GarryDeWitt
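As an added illustration of the hourly-renegotiation failure described in the comment above (example code, not from the video, pfSense or FreeRadius), this is an RFC 6238 TOTP check with a PIN prefix: the PIN-then-6-digit-code concatenation is assumed from the video's setup, and the PIN and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumed credential format, as in the video's pfSense + FreeRadius setup:
# the user types the PIN immediately followed by the 6-digit TOTP code.
PIN = "1234"                       # constructed sample PIN
SECRET = b"12345678901234567890"   # RFC 6238 reference-vector secret
STEP = 30                          # TOTP time step (seconds); codes roll every 30 s


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_pin_otp(submitted: str, pin: str, secret: bytes, at: int,
                   step: int = STEP, window: int = 1) -> bool:
    """Accept PIN+code if the PIN matches and the code is valid for the current
    step or within `window` steps either side (small clock-skew tolerance)."""
    if len(submitted) != len(pin) + 6:
        return False
    pin_ok = hmac.compare_digest(submitted[:len(pin)], pin)
    counter = at // step
    code_ok = any(hmac.compare_digest(submitted[len(pin):], hotp(secret, counter + d))
                  for d in range(-window, window + 1))
    return pin_ok and code_ok


def simulate_renegotiation(at: int, reneg_sec: int = 3600) -> dict:
    """The client caches PIN+code at login; when OpenVPN renegotiates after
    reneg-sec seconds it replays that cached value, now 3600/30 = 120 steps old."""
    cached = PIN + totp(SECRET, at)
    return {"login_ok": verify_pin_otp(cached, PIN, SECRET, at),
            "reneg_ok": verify_pin_otp(cached, PIN, SECRET, at + reneg_sec)}


if __name__ == "__main__":
    print(totp(SECRET, 59), simulate_renegotiation(1_700_000_000))
```

With reneg-sec 0 the second prompt never happens, which is why the replay of the stale code stops breaking the tunnel.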
Isn't running FreeRadius on the router a bit like putting all your eggs in one basket? Just an open discussion. Personally I would keep it for firewall and routing only. VPN and radius separate.

thingyee
Hi, has anyone been able to achieve: pfSense + OpenVPN + Active Directory + Google 2FA ??
or even: pfSense + OpenVPN + FreeIPA (LDAP) + Google 2FA ??

I believe Radius needs to be thrown into the mix.

I see all sorts of other combinations.

zparihar
Is there any option in pfSense for a VPN user to authenticate with MAC filtering?

pakonline

So there is no way to use an alphanumeric pin?

ExaByteTutorials